I am using a Red Hat Enterprise 5 Linux box. I find that if a user is in the /etc/sudoers file and runs a command with sudo, the command runs with root privileges (without knowing the root password; the user only needs to input their own password in order to run a command with sudo). Is that a correct understanding?

If yes, then is it a security hole, since users other than root could run commands with root privileges?

This question came from our site for professional and enthusiast programmers.

Just beware: if you allow a user to run as root a command that can run other commands (e.g. bash), he'll just be root. If you allow him to run as root commands that write arbitrary files, he'll be root anyway.
– Lohoris, May 11 '10 at 20:10

7 Answers

The sudo command allows one user to run commands with the privileges of another. The other user can be root or it can be someone else, but the default is root. It was designed for this purpose, has many configuration options to help lock things down in a variety of ways, and has been vetted over many years by a lot of people. It's not appropriate for all security problems, but used properly, it can be a highly useful tool. However, if not used properly, it can create more problems than it solves.

Sudoers do not automatically have access as root. They have access as the configured user. It is possible and correct to provide users access to run tools as other non-root users.

Any users who have access to run a shell or a command that can give shell access should be the users you would trust with the root password. With sudo it is possible to run a system without a root password. All uses of sudo are logged, which is not the case with commands run as root.

As noted, it is possible to limit access to specific commands. The example sudoers has a number of command sets you might want to grant to specific users who need to do tasks requiring root privileges. By using sudo it is possible to allow this without giving them the root password.

Anyone who can run a script or command with root privileges, which they can change, has effectively been given root access. You need to trust these people, or don't give them the access.

There are a large number of tasks which require root access. With sudo you can safely delegate these tasks to backup operators, webmasters, etc.

Sudo is far more secure than the alternatives. If misconfigured, or if incorrect access is given to untrusted users, it is a security risk (hole).

sudo is secure - secure enough for some distributions (Ubuntu) to use and recommend it by default.

That said, if you give blanket sudo rights to a user it largely removes the separation you have between that account and a root account. If you give blanket sudo rights to user timmy, for example, the timmy account becomes as privileged as the root account. Anyone who breaks into timmy's account can do anything as root (in most cases, timmy's password is needed).

Pro-sudo arguments

Usually set up so that nobody can log in as the user called "root". Can make it harder to brute-force a superuser login.

You can have fine-grained control over which commands a user can execute as superuser (though usually you'd give all privileges to one account, which effectively serves the same role as "root" with a different name).

Removes the temptation to just stay logged in as root, when not all commands you run need superuser privileges.

Anti-sudo arguments

sudo might be seen to encourage the practice of handing out superuser-level privileges to users, which is probably not a good idea.

sudo is a little more complicated to set up because it is so flexible. While this allows you to make it nice and secure, it can also make it easier to inadvertently open up security gaps if you're not careful or don't understand what you're doing.

It can be seen as a bad idea in general to use an account with superuser privileges for everyday use, and having sudo privileges is the next best thing. A counter-argument to this is that your user password is (in most cases) still required to elevate to superuser status, and this is not likely to be known to intruders/errant processes running as you.

Essentially they are just two different schools of thought, both valid enough to have whole distributions backing their own approach.

I'm more comfortable with the non-sudo approach, mainly because that's what I'm more familiar with as a Debian user. I find the simplicity of having a root account over the flexibility of sudo wins for me. I don't allow root login remotely (i.e. via SSH) and I recommend that nobody else should, either.

I think it's better for security than being logged in as root, as it isn't convenient to do things as root. It's certainly better for accountability, which is part of security.

You do have to restrict who would use it. Typically, you limit it to people who would know the root password anyway, although it's possible to get fancier and limit what specific people can do.

The security issue that bothers me is that it is not necessary to enter my password for every sudo command; if I enter another few from the same terminal without much time elapsing, it accepts the sudo without the password. This is presumably to avoid making me continuously enter my password, but it's conceivable that some bad-guy userland software could exploit that. I don't know enough to evaluate the risk, personally.

Sudo is very configurable, so it's easy to reduce the timeout for remembering the password. Just edit the /etc/sudoers file and modify the Defaults line to look, for example, like this for a 2 minute timeout: Defaults env_reset,timestamp_timeout=2
– Martijn Heemels, May 11 '10 at 15:44
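The checks that the first answer, Lohoris's comment and Martijn's timeout comment describe can be applied mechanically to a sudoers file. The following is an added example written for this thread, not code from any of the posters or from the sudo project: a small auditor that reads sudoers-style text (the policy below is a constructed sample, not a real host's file), reports which users or groups are effectively root (ALL, or a shell run as root), notes NOPASSWD grants, and extracts timestamp_timeout. The SHELL_LIKE list is an assumption kept deliberately short, and only plain user specs are handled (aliases are not expanded, host matching is ignored), so its output is a first pass for a reviewer, not a proof.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Programs that hand the caller an interactive shell; as root, that is root.
# Assumption: a short illustrative list, extend it to suit your hosts.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT):\s*")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TIMEOUT_RE = re.compile(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
ALIAS_KEYWORDS = ("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    user: str                      # user or %group named in the spec
    commands: List[str] = field(default_factory=list)
    effectively_root: bool = False
    reasons: List[str] = field(default_factory=list)


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out


def audit_sudoers(text: str) -> Tuple[Dict[str, Finding], Optional[float]]:
    """Classify each user spec; also return timestamp_timeout in minutes (None if unset)."""
    findings: Dict[str, Finding] = {}
    timeout: Optional[float] = None
    for line in _logical_lines(text):
        first = line.split()[0]
        if first.startswith("Defaults"):
            m = TIMEOUT_RE.search(line)
            if m:
                timeout = float(m.group(1))
            continue
        if first in ALIAS_KEYWORDS:
            continue  # alias expansion is out of scope for this example
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmd_list = m.groups()
        # "(www)" runs only as www; no runas, "(ALL)" or "(root)" can reach root
        runas_user = (runas or "").split(":")[0].strip() or "root"
        can_reach_root = runas_user in ("ALL", "root")
        f = findings.setdefault(user, Finding(user))
        nopasswd = False  # tags persist along the command list until changed
        for piece in cmd_list.split(","):
            piece = piece.strip()
            while (t := TAG_RE.match(piece)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                piece = piece[t.end():]
            if not piece:
                continue
            f.commands.append(piece)
            program = piece.split()[0]
            if nopasswd:
                f.reasons.append(f"NOPASSWD: {program} runs without the caller's password")
            if not can_reach_root:
                continue
            if program == "ALL":
                f.effectively_root = True
                f.reasons.append(f"ALL: any command as {runas_user}")
            elif program.rsplit("/", 1)[-1] in SHELL_LIKE:
                f.effectively_root = True
                f.reasons.append(f"{program}: a shell run as root is root")
    return findings, timeout


def describe_timeout(minutes: Optional[float]) -> str:
    """Explain a timestamp_timeout value in the terms sudoers(5) uses."""
    if minutes is None:
        return "not set (sudo's compiled-in default applies)"
    if minutes < 0:
        return "negative: cached credentials never expire"
    if minutes == 0:
        return "0: password required for every sudo command"
    return f"{minutes:g} minute(s) before sudo asks for the password again"


# Constructed sample policy for this example (not from any real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset,timestamp_timeout=2
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
timmy       ALL=(ALL) NOPASSWD: ALL
operator    ALL=(root) /sbin/shutdown -h now, \\
                       /sbin/service httpd restart
webmaster   ALL=(www) /usr/bin/systemctl reload httpd
eve         ALL=(root) /bin/bash
"""

if __name__ == "__main__":
    findings, timeout = audit_sudoers(SAMPLE_SUDOERS)
    print("timestamp_timeout:", describe_timeout(timeout))
    for f in findings.values():
        status = "EFFECTIVELY ROOT" if f.effectively_root else "scoped"
        print(f"{f.user:<10} {status:<16} {', '.join(f.commands)}")
        for reason in f.reasons:
            print("           -", reason)
```

Run against the sample, it marks root, %wheel, timmy and eve as effectively root (timmy additionally without a password), while operator's two fixed commands and webmaster's grant that runs as www come out as scoped; the Defaults line is reported as a 2 minute cache, matching the value in the comment above. Point it at a copy of your own /etc/sudoers and /etc/sudoers.d files to get the same first-pass view before handing it to a reviewer.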

You mean all users in the sudoers file are admins?
– George2, May 11 '10 at 12:35

3

@George2: Yes and no. All users that appear in sudoers (or belong to groups that are listed in sudoers) can use sudo. As I said, you can restrict the commands they might sudo. In short: all users that need to execute at least one command with elevated privileges should be in /etc/sudoers. Whether these people are called admins or not is up to you ;)
– ereOn, May 11 '10 at 12:45

Hacker users (suppose the user already has permission to run sudo) could add other hacker users to this file; is it a security hole?
– George2, May 11 '10 at 12:36

10

@George2: If a hacker has root access to your server (using sudo or anything else, it doesn't matter) it is game over already anyway.
– ereOn, May 11 '10 at 12:48

3

If a hacker gets the password of a user that has full sudo privileges, then they can become root. Therefore, only give sudo privileges to users who you trust to handle their account securely. For example, we only allow sudo for admins who use certificates to login.
– Martijn Heemels, May 11 '10 at 15:48